A security control is an act, process or countermeasure to limit the damage and impact of a risk. Security controls can also be used as preventive, detective, defensive, and corrective measures against security incidents. Risk is the probability of occurrence of a threat.

The purpose of a security control is to maintain the integrity, availability, and confidentiality of data using a combination of different processes, policies, tools, and strategies in the organization.

Types of Security Controls.

Security Controls can be broadly classified into Security Controls Categories and Security Controls Types.

Control Category.

The security control category shows how a security control is applied in the organization. The security control categories are Technical Control, Managerial Control, Operational Control and Physical Control.

Technical Control.

Technical controls are implemented by the IT team / Security team of the organization. The primary focus of a technical control is to minimize the vulnerabilities in the organization's technical systems (servers, networks and other infrastructure) in order to protect the organization's systems and data. Examples of Technical Controls are below.

  • Firewall: Firewall rules will prevent unauthorized network access.
  • Access Control Lists: rules to grant or deny access to the organization's resources.
  • Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS).
  • Data Encryption: converts sensitive data into coded form, making it unreadable to unauthorized users.
  • Antivirus software.

Managerial / Administrative Control.

Managerial Controls are the organization's regulatory policies, procedures and practices written by the organization’s management (managers and executives). This control focuses on decisions and the management of risk. Example: the Internet usage policy in the organization, or the background verification process for new employees. Examples of Managerial / Administrative Controls are below.

  • Periodic Risk Assessment: systematic identification, evaluation, and mitigation of potential risks within an organization.
  • Penetration Testing / Vulnerability Scanning.
  • Formal Change Management procedure.

Operational Control.

Operational control refers to the strategies and procedures that ensure smooth execution of the daily business activities and processes necessary for delivering goods and services. It involves evaluating, monitoring and adjusting the processes within an organization so that the organization can enhance its overall performance and achieve its objectives effectively. Examples of Operational Controls are below.

  • Security awareness training: By providing regular training sessions, we can reduce the risk of security incidents caused by human error.
  • User access management: It involves the identification, control and management of specific users' access to a system, application or data. This reduces the chances of unauthorized access to resources and ensures that a specific user only has access to the resources they need.
  • Incident response procedures: This refers to the plan (steps) that needs to be followed in the event of a security breach (security incident). It aims to mitigate damage and prevent recurrence of the security incident.

Physical Control.

Physical security control refers to the procedures and techniques that help in physically securing the organization's assets, data and resources. Examples of physical security controls are locks / keys, gates / fences, biometric systems (fingerprint verification, access control cards), motion sensors, alarm systems, and CCTVs.

Comparison of Control Categories.

| | Technical Control | Managerial / Administrative Control | Operational Control | Physical Control |
|---|---|---|---|---|
| Goal | Protect organization's system and data | Creating policies, procedures and guidelines to mitigate potential risk | Ensures smooth execution of organization's daily business activities | Protect organization's physical assets |
| Responsible Team | IT / Security team | Senior Management and Executives | Security team | Security team |
| Example | Firewall, Antivirus | Penetration Testing, Vulnerability Scanning | User access management, Security awareness training | Security guard, CCTVs |

Control Types.

Security controls are further classified into control types based on the time when they are used (before the security incident or after the security incident).

Preventive Control.

As the name suggests, a preventive control focuses on preventing the security incident by identifying, blocking, or eliminating the potential threat before it can cause any harm to the organization's assets, data or resources. Examples of preventive controls are access control, firewalls, antivirus, DLP solutions, and Intrusion Prevention Systems.

Deterrent Control.

Deterrent control aims to psychologically discourage an individual from performing undesired behaviour or activity. They create a perception of risk or punishment to deter potential offenders. Example: Warning signs stating that the systems are being monitored, strong security policies, and the presence of security personnel.

Detective Control.

Detective controls aim to identify (detect) security events that have already occurred. They help us dig into why and how the security incident occurred. Example: analysing the data from audit logs or a SIEM. Motion detectors, CCTV monitors, and alarms are a few other examples.

Corrective Control.

Corrective controls are reactive measures taken to mitigate the damage after a security incident, and they help in restoring the normal operation of the system. Examples: data backup restoration, applying the patch for a software vulnerability.

Compensating Control.

Compensating controls are alternative controls that are used when the primary controls are not feasible or sufficient to meet the demands. Example: an organization has a security policy to use MFA for authentication. If a third-party software vendor does not support MFA, then the organization might use time-based one-time passwords (TOTP) as a temporary access method. Another example is deploying security guards when electronic access control systems are inoperable.

Directive Control.

Directive controls are used to persuade individuals not to violate security policies and procedures by providing specific instructions or guidelines, so that individuals adhere to security practices within the organization. Examples: standard operating procedures (SOPs) that detail step-by-step instructions for completing tasks, and the Acceptable Use Policy (AUP) for company resources.

Comparison of Control Types.

| | Preventive control | Deterrent control | Detective control | Corrective control | Compensating control | Directive control |
|---|---|---|---|---|---|---|
| Goal | Prevent the security incident | Discourage the action that will lead to a security incident | Identifies the security incident that already occurred | Mitigate the damage by the security incident | Provide an alternative to primary control method | Provides documentation of best practices in the organization |
| When it is used | Before security incident | Before security incident | After security incident | After security incident | Before security incident | Before security incident |
| Example | Firewall, Antivirus | Security warnings, CCTVs | Intrusion Detection System (IDS) | Data backup restoration | Deploying security guards when electronic access control systems are inoperable | Documentation of best practices, standard operating procedures (SOPs) |

Conclusion.

A security control can be classified by category, meaning who designs the control and how the control is implemented (Technical, Managerial, Operational, Physical), or by type, meaning when it is used, before or after the security incident (Preventive, Deterrent, Detective, Corrective, Compensating, Directive). The control category and control type work together to create a comprehensive and structured set of policies, practices, tools, and controls that work towards safeguarding an organization’s assets and data.

By Ashutosh Gawali

Ashutosh Gawali is a Microsoft 365 consultant and a networking and security enthusiast. He has nearly 10 years of experience in product implementation, optimization and customer support. Through this blog, Ashutosh is trying to share his experience and understanding of Microsoft, networking, security and other technologies.

2 thought on “Types of Security Controls.”
  1. This is really helpful information to get the kickstart in Security+ preparation. Thank you for providing the information. Looking forward to more such content related to security fundamentals.
